This FAQ discusses how to obtain the list of the different groups an ADS (Active Directory) user belongs to. My application uses the user's group membership to determine access to different functions, so there is no need to maintain separate access lists.
Before using the code, make sure you import System.DirectoryServices (and add a reference to System.DirectoryServices.dll). If you need the Windows username of the current web user, HttpContext.Current.User.Identity.Name returns it; with Windows authentication it comes back as DOMAIN\username, so strip the domain prefix before passing it to the function below. The above-mentioned FAQ has more information.
Now let's get into the code. I created a function called GetUserGroups which takes the following inputs:
a) logged-on username: just the username, with no domain name in front of it
b) domain account: an account that has permission to read ADS, e.g. Domainname\username
c) password for the domain account in (b)
d) domain name: this could be domainname.com, subdomainname.domainname.com, etc.
The function returns a single string listing the groups the user is a direct member of. Note that the memberOf attribute it reads does not include nested group membership or the user's primary group (normally Domain Users).
Public Function GetUserGroups(ByVal strUserName As String, ByVal strAdminUserId As String, ByVal strAdminPwd As String, ByVal strDomain As String) As String
First you need to find the user in ADS, then get the LDAP path to that object, then read the property "memberOf" to obtain the list of groups. The username is concatenated straight into the LDAP search filter below; a value containing filter metacharacters such as *, ( or ) changes the meaning of the filter, so escape the value (RFC 4515) or reject such characters before searching.
Try
    'Bind to the domain with the service account and search it for the user by sAMAccountName
    Dim deentry As DirectoryEntry = New DirectoryEntry("LDAP://" & Trim(strDomain), Trim(strAdminUserId), Trim(strAdminPwd))
    Dim dsSearcher As DirectorySearcher = New DirectorySearcher(deentry)
    dsSearcher.Filter = "(sAMAccountName=" & strUserName & ")"
    'FindOne returns Nothing when no object matches; the Catch below then reports the resulting error
    Dim srresult As SearchResult = dsSearcher.FindOne()
    Dim userpath As String = Trim(srresult.Path)

    '...more code coming here (shown below)...

Catch ex As Exception
    'On any error (bad credentials, unreachable domain, user not found) the message is returned
    'instead of a group list. Because the return type is a plain String, the caller cannot tell
    'an error message from a list of groups, and the message may reveal internal details.
    Dim debug As String = ex.Message
    GetUserGroups = debug
End Try
End Function
srresult.Path gives the LDAP path to the user object in ADS. The path has the form "LDAP://domainname.com/CN=LastName\, FirstName,OU=…,DC=DOMAIN, etc…" (it uses forward slashes, and a comma inside a CN value is escaped with a backslash).
For testing purposes, if you just want to find the LDAP path to an object, the easiest way is to use ADSI Edit, which is part of the Windows 2000 Support Tools on the installation CD.
Once we have the LDAP path to the object, all we have to do is create another DirectoryEntry using this path and then either loop through its property collection or restrict the search result to just the property we want.
    'Connect to the user object itself
    Dim mySearchRoot As DirectoryEntry = New DirectoryEntry(userpath, strAdminUserId, strAdminPwd)
    Dim myDirectorySearcher As New DirectorySearcher(mySearchRoot)

    'Load only the property "memberOf"
    myDirectorySearcher.PropertiesToLoad.Add("memberof")
    'If you remove the line above, the search result will carry all of the object's properties.

    Dim mySearchResult As SearchResult = myDirectorySearcher.FindOne()

    'Make sure we have a result
    If Not (mySearchResult Is Nothing) Then
        Dim strGrpList As String = ""
        Dim myCollection As Object
        For Each myCollection In mySearchResult.Properties("memberof")
            'Each value is the group's distinguished name, e.g. CN=Domain Admins,OU=Groups,DC=...
            'Keep everything up to and including the first ",OU" and drop the leading "CN=", so the
            'groups end up as a comma-separated list. You may want to modify this as per your
            'requirements: a group that lives in a CN= container (e.g. CN=Users) has no ",OU" in
            'its path, so InStr returns 0 and the group is silently dropped.
            Dim strDn As String = CStr(myCollection)
            strGrpList = strGrpList & Replace(Left(strDn, InStr(strDn, ",OU", CompareMethod.Text)), "CN=", "")
        Next
        GetUserGroups = strGrpList
    Else
        GetUserGroups = "Path Not Found or Object not found"
    End If
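Putting the pieces together, here is an added example of the same lookup, written for this page and not taken from the FAQ's code. It addresses the points raised above: the username is escaped (RFC 4515) before it is placed in the filter; the group name is taken from the first RDN of each memberOf value instead of searching for ",OU", so groups in CN= containers and names with escaped commas survive; memberOf is read from the first search, which removes the second DirectoryEntry; and the bind uses AuthenticationTypes.Secure so the service account password is not sent as a plaintext simple bind. It targets .NET Framework 2.0 or later with a reference to System.DirectoryServices.dll. The function and variable names, the sample username and the distinguished names in Main are constructed for illustration.

```vbnet
' Added example (not the FAQ's code). Requires a reference to System.DirectoryServices.dll.
Imports System
Imports System.Collections.Generic
Imports System.DirectoryServices
Imports System.Text

Module GroupLookup

    ' Escape a value before concatenating it into an LDAP search filter (RFC 4515).
    ' Without this, a "username" such as  *)(objectClass=*  changes the meaning of the filter.
    Public Function EscapeLdapFilterValue(ByVal value As String) As String
        Dim sb As New StringBuilder(value.Length)
        For Each ch As Char In value
            Select Case ch
                Case "\"c : sb.Append("\5c")
                Case "*"c : sb.Append("\2a")
                Case "("c : sb.Append("\28")
                Case ")"c : sb.Append("\29")
                Case ControlChars.NullChar : sb.Append("\00")
                Case Else : sb.Append(ch)
            End Select
        Next
        Return sb.ToString()
    End Function

    ' Return the value of the first RDN of a distinguished name, honouring backslash
    ' escapes (RFC 4514), so  CN=Doe\, John,OU=Staff,DC=x  gives  Doe, John.
    Public Function GroupNameFromDn(ByVal dn As String) As String
        Dim eq As Integer = dn.IndexOf("="c)
        If eq < 0 Then Return dn
        Dim sb As New StringBuilder()
        Dim i As Integer = eq + 1
        While i < dn.Length
            Dim ch As Char = dn.Chars(i)
            If ch = "\"c AndAlso i + 1 < dn.Length Then
                sb.Append(dn.Chars(i + 1))   ' escaped character: keep it literally
                i += 2
            ElseIf ch = ","c Then
                Exit While                   ' end of the first RDN
            Else
                sb.Append(ch)
                i += 1
            End If
        End While
        Return sb.ToString()
    End Function

    ' Find the user by sAMAccountName and return the names of the groups in its memberOf
    ' attribute. memberOf holds direct memberships only: nested groups and the primary
    ' group (normally Domain Users) are not listed.
    Public Function GetUserGroups(ByVal userName As String, ByVal bindUser As String, _
                                  ByVal bindPassword As String, ByVal domain As String) As List(Of String)
        Dim groups As New List(Of String)()
        ' AuthenticationTypes.Secure negotiates Kerberos/NTLM instead of a plaintext simple bind.
        Using root As New DirectoryEntry("LDAP://" & domain, bindUser, bindPassword, AuthenticationTypes.Secure)
            Using searcher As New DirectorySearcher(root)
                searcher.Filter = "(&(objectCategory=person)(sAMAccountName=" & _
                                  EscapeLdapFilterValue(userName) & "))"
                searcher.PropertiesToLoad.Add("memberOf")
                Dim result As SearchResult = searcher.FindOne()
                If result Is Nothing Then
                    Throw New KeyNotFoundException("No user with sAMAccountName " & userName)
                End If
                For Each dn As Object In result.Properties("memberOf")
                    groups.Add(GroupNameFromDn(CStr(dn)))
                Next
            End Using
        End Using
        Return groups
    End Function

    Sub Main()
        ' Offline demonstration on constructed values; no domain controller is contacted.
        Console.WriteLine(EscapeLdapFilterValue("jdoe*)(objectClass=*"))
        Dim sample() As String = {"CN=Domain Admins,CN=Users,DC=corp,DC=example", _
                                  "CN=Sales\, EMEA,OU=Groups,DC=corp,DC=example"}
        For Each dn As String In sample
            Console.WriteLine(GroupNameFromDn(dn))
        Next
    End Sub
End Module
```

Main exercises only the escaping and the DN parsing, so it runs without a domain; GetUserGroups needs a reachable domain controller and a service account that can read user objects. Returning a List(Of String) and throwing on "user not found" also lets the caller distinguish an error from an empty group list, which the FAQ's single String return value cannot do. As with the FAQ's version, the result reflects direct membership only; if your authorisation decisions depend on nested groups, the tokenGroups attribute of the user object is the place to look instead.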